
Commit 7507bd5

ESS-ENNSakshis and Sakshis authored
Add Security Rules for TOCTOU Race Conditions in C/C++ File Operations (#193)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* file-stat-before-action-c
* file-stat-before-action-cpp

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent ee25e84 commit 7507bd5

6 files changed (+1297 -0 lines changed)
Lines changed: 338 additions & 0 deletions
@@ -0,0 +1,338 @@
1+
id: file-stat-before-action-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
A check is done with `stat` and then the file is used. There is no guarantee that the status of the file has not changed since the call to `stat` which may allow attackers to bypass permission checks.
6+
note: >-
7+
[CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition
8+
[REFERENCES]
9+
- https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files
10+
11+
ast-grep-essentials: true
12+
13+
utils:
14+
PATTERN_1(identifier)nth1:
15+
kind: identifier
16+
regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$
17+
all:
18+
- not:
19+
inside:
20+
stopBy: end
21+
kind: parenthesized_expression
22+
nthChild: 1
23+
inside:
24+
kind: if_statement
25+
- precedes:
26+
kind: argument_list
27+
has:
28+
pattern: $SRC
29+
- inside:
30+
kind: call_expression
31+
not:
32+
inside:
33+
kind: field_expression
34+
inside:
35+
stopBy: end
36+
kind: compound_statement
37+
inside:
38+
kind: if_statement
39+
has:
40+
kind: parenthesized_expression
41+
has:
42+
stopBy: end
43+
any:
44+
- kind: binary_expression
45+
has:
46+
stopBy: end
47+
kind: parenthesized_expression
48+
has:
49+
kind: binary_expression
50+
all:
51+
- has:
52+
kind: call_expression
53+
nthChild: 1
54+
all:
55+
- has:
56+
kind: identifier
57+
regex: ^(stat|_stat|lstat|_lstat)$
58+
precedes:
59+
kind: argument_list
60+
all:
61+
- has:
62+
nthChild: 1
63+
pattern: $SRC
64+
- has:
65+
kind: number_literal
66+
regex: ^(0)$
67+
- kind: binary_expression
68+
all:
69+
- has:
70+
nthChild: 1
71+
kind: call_expression
72+
all:
73+
- has:
74+
nthChild: 1
75+
kind: identifier
76+
regex: ^(stat|_stat|lstat|_lstat)$
77+
- has:
78+
nthChild: 2
79+
kind: argument_list
80+
all:
81+
- has:
82+
nthChild: 1
83+
pattern: $SRC
84+
- has:
85+
nthChild: 2
86+
kind: number_literal
87+
regex: ^(0)$
88+
follows:
89+
regex: ^==$
90+
91+
PATTERN_1(identifier)nth2:
92+
kind: identifier
93+
regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$
94+
all:
95+
- not:
96+
inside:
97+
stopBy: end
98+
kind: parenthesized_expression
99+
nthChild: 1
100+
inside:
101+
kind: if_statement
102+
- precedes:
103+
kind: argument_list
104+
has:
105+
pattern: $SRC
106+
- inside:
107+
kind: call_expression
108+
not:
109+
inside:
110+
kind: field_expression
111+
inside:
112+
stopBy: end
113+
kind: compound_statement
114+
inside:
115+
kind: if_statement
116+
has:
117+
kind: parenthesized_expression
118+
has:
119+
stopBy: end
120+
any:
121+
- kind: binary_expression
122+
has:
123+
stopBy: end
124+
kind: parenthesized_expression
125+
has:
126+
kind: binary_expression
127+
all:
128+
- has:
129+
kind: call_expression
130+
nthChild: 1
131+
all:
132+
- has:
133+
kind: identifier
134+
regex: ^(fstatat|_fstatat)$
135+
precedes:
136+
kind: argument_list
137+
all:
138+
- has:
139+
nthChild: 3
140+
pattern: $SRC
141+
- has:
142+
kind: number_literal
143+
regex: ^(0)$
144+
follows:
145+
regex: ^==$
146+
- kind: binary_expression
147+
all:
148+
- has:
149+
nthChild: 1
150+
kind: call_expression
151+
all:
152+
- has:
153+
nthChild: 1
154+
kind: identifier
155+
regex: ^(fstatat|_fstatat)$
156+
- has:
157+
nthChild: 2
158+
kind: argument_list
159+
all:
160+
- has:
161+
nthChild: 2
162+
pattern: $SRC
163+
- has:
164+
nthChild: 2
165+
kind: number_literal
166+
regex: ^(0)$
167+
follows:
168+
regex: ^==$
169+
170+
identifier:
171+
any:
172+
- kind: identifier
173+
regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$
174+
175+
PATTERN_3(field_expression)(identifier)nth1:
176+
kind: field_expression
177+
has:
178+
nthChild: 1
179+
stopBy: end
180+
matches: identifier
181+
all:
182+
- not:
183+
inside:
184+
stopBy: end
185+
kind: parenthesized_expression
186+
nthChild: 1
187+
inside:
188+
kind: if_statement
189+
- precedes:
190+
kind: argument_list
191+
has:
192+
pattern: $SRC
193+
- inside:
194+
kind: call_expression
195+
inside:
196+
stopBy: end
197+
kind: compound_statement
198+
inside:
199+
kind: if_statement
200+
has:
201+
kind: parenthesized_expression
202+
has:
203+
stopBy: end
204+
any:
205+
- kind: binary_expression
206+
has:
207+
stopBy: end
208+
kind: parenthesized_expression
209+
has:
210+
kind: binary_expression
211+
all:
212+
- has:
213+
kind: call_expression
214+
nthChild: 1
215+
all:
216+
- has:
217+
kind: identifier
218+
regex: ^(stat|_stat|lstat|_lstat)$
219+
precedes:
220+
kind: argument_list
221+
all:
222+
- has:
223+
nthChild: 1
224+
pattern: $SRC
225+
- has:
226+
kind: number_literal
227+
regex: ^(0)$
228+
follows:
229+
regex: ^==$
230+
- kind: binary_expression
231+
all:
232+
- has:
233+
nthChild: 1
234+
kind: call_expression
235+
all:
236+
- has:
237+
nthChild: 1
238+
kind: identifier
239+
regex: ^(stat|_stat|lstat|_lstat)$
240+
- has:
241+
nthChild: 2
242+
kind: argument_list
243+
all:
244+
- has:
245+
nthChild: 1
246+
pattern: $SRC
247+
- has:
248+
nthChild: 2
249+
kind: number_literal
250+
regex: ^(0)$
251+
follows:
252+
regex: ^==$
253+
254+
PATTERN_3(field_expression)(identifier)nth2:
255+
kind: field_expression
256+
has:
257+
nthChild: 1
258+
stopBy: end
259+
matches: identifier
260+
all:
261+
- not:
262+
inside:
263+
stopBy: end
264+
kind: parenthesized_expression
265+
nthChild: 1
266+
inside:
267+
kind: if_statement
268+
- precedes:
269+
kind: argument_list
270+
has:
271+
pattern: $SRC
272+
- inside:
273+
kind: call_expression
274+
inside:
275+
stopBy: end
276+
kind: compound_statement
277+
inside:
278+
kind: if_statement
279+
has:
280+
kind: parenthesized_expression
281+
has:
282+
stopBy: end
283+
any:
284+
- kind: binary_expression
285+
has:
286+
stopBy: end
287+
kind: parenthesized_expression
288+
has:
289+
kind: binary_expression
290+
all:
291+
- has:
292+
kind: call_expression
293+
nthChild: 1
294+
all:
295+
- has:
296+
kind: identifier
297+
regex: ^(fstatat|_fstatat)$
298+
precedes:
299+
kind: argument_list
300+
all:
301+
- has:
302+
nthChild: 2
303+
pattern: $SRC
304+
- has:
305+
kind: number_literal
306+
regex: ^(0)$
307+
follows:
308+
regex: ^==$
309+
- kind: binary_expression
310+
all:
311+
- has:
312+
nthChild: 1
313+
kind: call_expression
314+
all:
315+
- has:
316+
nthChild: 1
317+
kind: identifier
318+
regex: ^(fstatat|_fstatat)$
319+
- has:
320+
nthChild: 2
321+
kind: argument_list
322+
all:
323+
- has:
324+
nthChild: 2
325+
pattern: $SRC
326+
- has:
327+
nthChild: 2
328+
kind: number_literal
329+
regex: ^(0)$
330+
follows:
331+
regex: ^==$
332+
333+
rule:
334+
any:
335+
- matches: PATTERN_1(identifier)nth1
336+
- matches: PATTERN_1(identifier)nth2
337+
- matches: PATTERN_3(field_expression)(identifier)nth1
338+
- matches: PATTERN_3(field_expression)(identifier)nth2
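Review bot: the two `fstatat` branches of `PATTERN_1(identifier)nth2` disagree about which argument carries the path. The first branch (diff lines 139-140) requires `nthChild: 3` / `pattern: $SRC` inside the `argument_list`, while the second branch (diff lines 161-162) and both branches of `PATTERN_3(field_expression)(identifier)nth2` (diff lines 302-303, 324-325) use `nthChild: 2`. `fstatat(dirfd, pathname, statbuf, flags)` takes the path as its second argument, and the rest of this rule already counts named children (the path of `stat` is `nthChild: 1`, the `0` after `==` in the `binary_expression` is `nthChild: 2`), so with `nthChild: 3` the metavariable `$SRC` is bound to the `struct stat *` argument, the `precedes: kind: argument_list / has: pattern: $SRC` constraint on the use site can no longer unify with it, and that branch never reports anything. Change it to `nthChild: 2` and add a test case with the parenthesised form, e.g. `if ((fstatat(fd, path, &sb, 0)) == 0) { open(path, O_RDONLY); }`, so the two branches are pinned to the same behaviour. Two smaller points: every branch only recognises the check when it is spelled `... == 0` (the `follows: regex: ^==$` constraint), so `if (stat(path, &sb) != -1)`, `if (!stat(path, &sb))`, or a result stored in a variable before the `if` goes unreported; either widen the comparison or document this as a known limitation in the rule's `note`. And the function-name regex `^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$` is written out three times (diff lines 16, 93, 173) even though the `identifier` util exists for exactly this list; using `matches: identifier` in both `PATTERN_1` variants keeps it in one place and avoids the lists drifting apart.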
